Why not a simple ACL for a group? Do the applications bind anonymously?

Of course it does. I said it was ill-designed :-)

A nicer approach would probably be to have a hidden jpegPhoto: it would not
be sent to a client requesting all attributes, but a client explicitly
requesting a set of attributes including jpegPhoto would get it.

I guess you will run into problems with some apps where you do want the
jpegPhoto to be displayed.

Fortunately, the only apps I have that use the jpegPhoto are wise enough
to provide a set of attributes.

I think what you propose makes sense, I see few cases where it would be
definitely useful. In general, anything that gives an administrator the
possibility to tune resource exhaustion sounds welcome. I think an
overlay is the right place.

With respect to your specific problem, you should be able to do
something close to what you need by loading your jpegPhoto as
jpegPhoto;x-mustberequested, then only allow access to this attribute
and not to plain jpegPhoto.